Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 93db67b2afdb222d…

MALICIOUS

Office (OLE) / .PPT

Size: 72.0 KB
Created: 2006-08-16 00:00:00
Authoring application: Microsoft Office PowerPoint
MD5: 4ae4d1d18eaeef92b7af313881a07b4b
SHA-1: 20b592aa683f5fbd6ab1a1ef3e14fba01ec31bb3
SHA-256: 93db67b2afdb222df7cd8b2d328917da282469441b9150e79d22e35cce3fdb69
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is a PowerPoint file containing VBA macros. The critical-severity heuristic indicates use of the Shell() function, which is commonly used to execute arbitrary commands or to download and run additional payloads. The presence of an Auto_Close macro further suggests that the code is designed to run automatically when the presentation is closed. No specific malware family could be identified, and no external IOCs (URLs, IP addresses, or dropped-file hashes) were extracted.

Heuristics (5)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6d29f01522aae3fd9180f07f42cabe0398d171c2e0aadbdbb34a89ee060a3b14
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 539 bytes